[EXTERNAL] [PATCH] net/octeontx: fix buffer overflow in device name formatting

Jerin Jacob jerinj at marvell.com
Mon Jun 8 17:29:32 CEST 2026

Previous message (by thread): [PATCH 1/1] ml/cnxk: support for 64-bit int type in metadata
Next message (by thread): [EXTERNAL] [PATCH] net/octeontx/base: fix out-of-bounds read in DQ range lookup
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Applied to dpdk-next-net-mrvl/for-main. Thanks

________________________________
From: Sergei Iashin <yashin.sergey at gmail.com>
Sent: Tuesday, April 7, 2026 1:27 PM
To: Harman Kalra <hkalra at marvell.com>; Jerin Jacob <jerinj at marvell.com>; Santosh Shukla <santosh.shukla at caviumnetworks.com>
Cc: dev at dpdk.org <dev at dpdk.org>; stable at dpdk.org <stable at dpdk.org>; jerin.jacob at caviumnetworks.com <jerin.jacob at caviumnetworks.com>; Sergei Iashin <yashin.sergey at gmail.com>
Subject: [EXTERNAL] [PATCH] net/octeontx: fix buffer overflow in device name formatting

Replace sprintf with snprintf when formatting into the fixed-size octtx_name buffer in octeontx_create and octeontx_remove. The device name can be up to 63 bytes (RTE_DEV_NAME_MAX_LEN) while the buffer is only 32 bytes (OCTEONTX_MAX_NAME_LEN),
ZjQcmQRYFpfptBannerStart
Prioritize security for external emails:
Confirm sender and content safety before clicking links or opening attachments
Report Suspicious<https://us-phishalarm-ewt.proofpoint.com/EWT/v1/CRVmXkqW!tm3Z1f8UYnVa9O-8WX26DsK-0LaBO_9qwE4pEx2cpcKfFql8RWpbr-t0B-4n0FjU7XSDAvlitsV3KK8Ua-2nw37gJz6mivFAuDI$>

ZjQcmQRYFpfptBannerEnd

Replace sprintf with snprintf when formatting into the fixed-size
octtx_name buffer in octeontx_create and octeontx_remove. The device
name can be up to 63 bytes (RTE_DEV_NAME_MAX_LEN) while the buffer
is only 32 bytes (OCTEONTX_MAX_NAME_LEN), which may cause a stack
buffer overflow with a long user-provided --vdev name.

Fixes: f18b146c498d ("net/octeontx: create ethdev ports")
Cc: stable at dpdk.org

Signed-off-by: Sergei Iashin <yashin.sergey at gmail.com>
---
 drivers/net/octeontx/octeontx_ethdev.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/octeontx/octeontx_ethdev.c b/drivers/net/octeontx/octeontx_ethdev.c
index 21e3e56901..e4dca30d9d 100644
--- a/drivers/net/octeontx/octeontx_ethdev.c
+++ b/drivers/net/octeontx/octeontx_ethdev.c
@@ -1555,7 +1555,7 @@ octeontx_create(struct rte_vdev_device *dev, int port, uint8_t evdev,

        PMD_INIT_FUNC_TRACE();

-       sprintf(octtx_name, "%s_%d", name, port);
+       snprintf(octtx_name, sizeof(octtx_name), "%s_%d", name, port);
        if (rte_eal_process_type() != RTE_PROC_PRIMARY) {
                eth_dev = rte_eth_dev_attach_secondary(octtx_name);
                if (eth_dev == NULL)
@@ -1711,7 +1711,7 @@ octeontx_remove(struct rte_vdev_device *dev)
                return -EINVAL;

        for (i = 0; i < OCTEONTX_VDEV_DEFAULT_MAX_NR_PORT; i++) {
-               sprintf(octtx_name, "eth_octeontx_%d", i);
+               snprintf(octtx_name, sizeof(octtx_name), "eth_octeontx_%d", i);

                eth_dev = rte_eth_dev_allocated(octtx_name);
                if (eth_dev == NULL)
--
2.39.5

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mails.dpdk.org/archives/dev/attachments/20260608/6541621d/attachment-0001.htm>

Previous message (by thread): [PATCH 1/1] ml/cnxk: support for 64-bit int type in metadata
Next message (by thread): [EXTERNAL] [PATCH] net/octeontx/base: fix out-of-bounds read in DQ range lookup
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the dev mailing list